
Cyberattacks are a growing threat for increasingly connected medical devices. [Photo by Koonsiri via Stock.Adobe.com]
One in three healthcare organization executives listed connected medical devices and other operational technology (OT) as their top cybersecurity concern in a survey commissioned by RunSafe Security.
RunSafe said it surveyed 605 executives at hospitals and healthcare organizations in the U.S., UK, and Germany who are involved in medical device purchasing and familiar with their organization’s cybersecurity protocols.
The cybersecurity software vendor asked those decision-makers about cybersecurity incidents involving medical devices and how cybersecurity factors into their device purchases, with three-fourths of respondents saying their organizations have increased their medical device and OT security budgets in the past year.
About one-fifth of the respondents said cyberattacks have impacted medical devices at their healthcare organizations, with 75% of those incidents affecting patient care, including delayed diagnoses or procedures, extended patient stays, and/or patient transfers to other facilities.
The most common medtech affected by those cybersecurity incidents were imaging systems (41%), followed by patient monitoring devices (40%), lab/diagnostic equipment (34%), infusion pumps (23%), networked surgical equipment (19%) and implantable devices (also 19%).
Asked about their most significant medical device cybersecurity incidents, 51% identified malware infections requiring device quarantine, followed by network intrusion requiring device isolation (44%), ransomware affecting device operation (37%), remote access exploitation (28%), supply chain compromise (26%), vendor-identified vulnerabilities requiring immediate patching (24%) and data exfiltration from connected devices (23%).
“Cybercriminals are shifting from opportunistic attacks to systematically targeting the medical devices that patients rely on for life-sustaining care, compelling healthcare leaders to acknowledge that operational technology security is now a patient safety imperative,” RunSafe said in the report.
What medical device buyers want for cybersecurity
The survey also found 83% of healthcare organizations integrate cybersecurity standards directly into their requests for proposals, 38% include detailed security requirements and nearly half (46%) have declined to purchase medical devices due to cybersecurity concerns. More than 70% of survey respondents said new regulations and guidance from the FDA and EU are influencing their procurement decisions.
“Vendors without built-in protections risk disqualification,” RunSafe said. “Cybersecurity has become a gatekeeper to market access, with procurement processes now serving as the first line of defense against vulnerable devices entering healthcare environments.”
“This new reality is also reshaping vendor relationships,” RunSafe continued. “Nearly a third (32%) of healthcare organizations surveyed say security incidents have not only affected their trust in specific vendors, but they also now require additional security verification from previously trusted vendors.”
Survey respondents identified the top device cybersecurity features that influence their purchasing decisions: built-in cybersecurity protections (60%), strong access controls (52%), timely security patches (46%), transparent vulnerability disclosure (39%), software bills of materials (SBOMs) for software component transparency (39%) and memory/runtime protection (also 39%).
RunSafe said SBOMs are essential or important in device procurement decisions for nearly 80% of organizations.
“Regulatory pressure is undoubtedly contributing to this, but so is practicality,” RunSafe said. “The FDA now requires SBOMs in premarket submissions for cybersecurity preparedness, but healthcare buyers also recognize that understanding software components is fundamental to ongoing vulnerability management.”
“However, generating comprehensive and accurate SBOMs is a challenge for many embedded medical devices, which are often written in C/C++,” the report continued. “Traditional binary analysis SBOM solutions produce high numbers of false positives and miss key components, like static libraries. Healthcare organizations are increasingly seeking vendors who can provide build-time SBOM solutions that accurately capture only the components actually present in the final device, streamlining vulnerability identification and response.”
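The gap the report describes, an SBOM that lists components the final image never links or omits static libraries it does, can be checked at build time against the linker's own record of what it pulled in. The script below is an added illustration, not RunSafe's tooling or anything from the report: it parses the "Archive member included" section of a GNU ld map file (the output of `-Wl,-Map=...`) to recover which static libraries actually reached the firmware, and reconciles that set with the component names in a CycloneDX-style SBOM. The map-file excerpt and the SBOM are constructed samples, and the mapping from an archive filename such as `libmbedtls.a` to an SBOM component name is an assumption that real projects would need to adjust.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt of a GNU ld map file. The "Archive member included"
# section lists every static-library object the linker kept; anything under
# "Discarded input sections" was dropped (e.g. by --gc-sections) and must
# not be reported as present in the device.
SAMPLE_MAP = """\
Archive member included to satisfy reference by file (symbol)

/opt/toolchain/lib/libmbedtls.a(ssl_tls.o)
                              src/main.o (mbedtls_ssl_setup)
/opt/toolchain/lib/libmbedcrypto.a(aes.o)
                              /opt/toolchain/lib/libmbedtls.a(ssl_tls.o) (mbedtls_aes_crypt_cbc)
/opt/toolchain/lib/liblwip.a(tcp.o)
                              src/net.o (tcp_write)

Discarded input sections

 .text          0x0000000000000000       0x1c /opt/toolchain/lib/libzlib.a(inflate.o)
"""

# Constructed CycloneDX-style SBOM, reduced to the fields this check reads.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "mbedtls", "version": "3.6.0", "type": "library"},
        {"name": "mbedcrypto", "version": "3.6.0", "type": "library"},
        {"name": "zlib", "version": "1.3.1", "type": "library"},
    ],
}

# Matches a top-level archive member line: "/path/libfoo.a(member.o)"
ARCHIVE_MEMBER_RE = re.compile(r"^(\S+\.a)\((\S+)\)\s*$")


def archive_to_component(archive_path):
    """Map an archive filename to an SBOM component name (assumed
    convention: strip the directory, the 'lib' prefix and the '.a' suffix)."""
    name = PurePosixPath(archive_path).name
    if name.endswith(".a"):
        name = name[:-2]
    if name.startswith("lib"):
        name = name[3:]
    return name.lower()


def linked_static_libraries(map_text):
    """Return the set of static-library component names the linker kept.

    Only the 'Archive member included' section is read. The section ends at
    the next unindented heading (e.g. 'Discarded input sections'), so objects
    the linker threw away are ignored."""
    libs = set()
    in_section = False
    for line in map_text.splitlines():
        if line.startswith("Archive member included"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace() and not ARCHIVE_MEMBER_RE.match(line):
            in_section = False  # a new top-level heading closes the section
        if not in_section:
            continue
        m = ARCHIVE_MEMBER_RE.match(line)
        if m:
            libs.add(archive_to_component(m.group(1)))
    return libs


def sbom_components(sbom):
    """Return {lower-cased component name: version} from a CycloneDX-style dict."""
    return {c["name"].lower(): c.get("version", "") for c in sbom.get("components", [])}


def reconcile(sbom, map_text):
    """Compare declared SBOM components with libraries actually linked.

    'declared_but_not_linked' is over-reporting (the false-positive problem);
    'linked_but_undeclared' is a static library the SBOM missed."""
    declared = set(sbom_components(sbom))
    linked = linked_static_libraries(map_text)
    return {
        "confirmed": sorted(declared & linked),
        "declared_but_not_linked": sorted(declared - linked),
        "linked_but_undeclared": sorted(linked - declared),
    }


if __name__ == "__main__":
    for key, names in reconcile(SAMPLE_SBOM, SAMPLE_MAP).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

On the constructed sample the check confirms mbedtls and mbedcrypto, flags zlib as declared but discarded by the linker, and reports lwip as linked but absent from the SBOM. The map file only records archives, so header-only libraries and vendored sources compiled straight into the application's own objects need a separate source-level check; the point is that the linker's record, not a post-hoc scan of the binary, is the ground truth for what shipped.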
The report says hospitals and healthcare organizations are willing to pay more for devices with cybersecurity features, with 79% of healthcare buyers in the survey saying they’re willing to pay a premium for devices with advanced runtime protection or built-in exploit prevention.
“The data shows an industry in transition, where 46% of healthcare organizations decline purchases based on security concerns, where SBOMs have become mandatory requirements rather than optional documentation, and where buyers demonstrate willingness to pay premium pricing for advanced protection,” the report said. “For medical device manufacturers, this transformation presents both opportunities and imperatives. Those who embrace transparency through comprehensive SBOMs, integrate runtime protections and built-in security, and demonstrate proactive vulnerability management will find themselves positioned to capture market share in an industry increasingly willing to invest in advanced protection. Conversely, manufacturers who treat cybersecurity as an afterthought risk not just regulatory rejection, but exclusion from a market that has fundamentally redefined what constitutes an acceptable medical device.”
You can read the full report at RunSafe Security’s website.